What is privilege escalation?
Privilege escalation is when hackers gain additional privileges that do not normally belong to them. They do this by abusing bugs, configuration flaws or design weak spots in an application or operating system. Depending on the privileges they gain, hackers can use them to access protected data and eventually do whatever they want on your system etc.
What types of privilege escalation attacks are there?
- Horizontal privilege escalation occurs when a hacker uses someone else’s similarly privileged account. The hacker remains on the same privilege level, but can access another user’s data and act on their behalf.
- Vertical privilege escalation (also known as privilege elevation) is when a hacker uses a less-privileged account to obtain higher (usually admin) privileges. With root or kernel access to a device, a hacker can retrieve data, change settings and manipulate your system in almost any way. This is much more difficult than a horizontal attack, but can also cause much more damage.
How does privilege escalation happen?
There are many techniques to implement such a cyber attack. Most of them target particular operating systems and have specific mitigation techniques. We list some of the more common ones below.
Access Token Manipulation
Some operating systems use access tokens to determine the owner of a running process. The access token identifies the user, their privileges, and contains their session’s security credentials. A hacker can trick the system and make a token to identify themselves as a legitimate user. By claiming a token, the hacker also gets all of the permissions associated with it. An attacker needs to already possess administrative rights to use this attack. They usually employ this method to elevate their privileges from the admin to the system level.
There are three ways to execute this technique:
- Copying an existing token by using the Windows DuplicateTokenEx function. A hacker can then use the ImpersonateLoggedOnUser command to allow a process to impersonate a logged-on user’s security context. Also, by using the SetThreadToken function, he/she may then apply this impersonated token to a process.
- Creating a new process using the security permissions provided by a stolen token.
- Use the user’s username and password to initiate a login session (if they aren’t logged into the system) with the LogonUser function. This will generate a new token that an attacker can assign to a process.
Bypassing User Account Control (UAC)
Windows User Account Control manages privileges for users within a device. It protects devices from unwanted intrusions by automatically limiting the privileges of users unless an admin increases them. However, if UAC’s settings are not set to the highest level, it can grant an application elevated privileges without notifying the user. Hackers can use these apps to gain administrative rights or inject malware.
Process injection is the technique of injecting code into an active process. The code might grant access to another process’s resources and, eventually, to its privileges. As the code is shielded behind a legitimate process, security systems will be less likely to spot it.
A hacker might implement privilege escalation attack by means of social engineering. They can implement it by sending a malicious file and convincing you to run it or injecting malware into your system hereby gaining your account privileges on impacted systems.
Windows Accessibility features can be launched with a key combination prior to logging into the operating system. A hacker might manage to modify accessibility settings without having to log in and create a backdoor entrance into the system.
What is the best defense against privilege escalation?
To minimize privilege escalation vulnerabilities, consider the following measures:
- Use strong passwords and never use the same ones within a single network.
- Give users the minimum privileges they need. It is safer to grant privileges on an as-needed basis. If a hacker gains access to an account, they will have fewer tools to work with.
- Keep your software updated and always use cutting-edge security measures.
- Do not leave default security settings. While this might seem obvious, it is a pretty common mistake leaving the door wide open to adversaries. They may easily crack default passwords, bypass UAC systems. Make sure you always have security function set at their highest.
- Do not give admin rights to new users or users you do not fully trust.
- Run applications with the minimum privileges to limit the impact done by hackers in the event of a successful attack.
- Encrypt your communication and internal data. This will create an additional barrier for a cybercriminal out to obtain your data.